Citizen Lab has yet again discovered a zero-click exploit linked to NSO Group’s Pegasus spyware. The exploit targets Apple’s iMessage service, specifically its image rendering library, and is effective against iOS, macOS and watchOS devices.
The exploit, named ForcedEntry, is detailed in Citizen Lab’s report published Monday and is believed to have been in use since February 2021. It first surfaced last month, when Citizen Lab reported that the Bahraini government was spying on nine activists, some of whom were hacked using ForcedEntry.
The discovery and the captured exploit code were reported to Apple, which assigned CVE-2021-30860 to the underlying vulnerability and released updates that patch it.
According to Apple, iPhones and iPads running versions older than iOS 14.8 and iPadOS 14.8, Macs running macOS prior to Big Sur 11.6 (or Catalina without Security Update 2021-005) and Apple Watches prior to watchOS 7.6.2 remain vulnerable.
Deleting GIFs in a jiffy
Citizen Lab had inspected the phone of a Saudi activist back in March 2021 to determine whether it had been hacked with Pegasus, and obtained an iTunes backup of the device in the process.
During a recent re-analysis of that backup, the lab found several files with a .gif extension which it determined had been sent to the phone right before it was compromised by Pegasus, indicating that the payload might be among these files.
As the format of the files matched two types of crashes already observed on another Pegasus-infected phone, Citizen Lab reported these artefacts to Apple on suspicion that they contained parts of the ForcedEntry exploit chain.
On Monday, Apple confirmed that these files do, in fact, contain a zero-day exploit against iOS and macOS devices. Apple’s advisory describes the flaw as “processing a maliciously crafted PDF may lead to arbitrary code execution”: despite their .gif extension, the files are parsed as PDF data, and the exploit takes advantage of an integer overflow in CoreGraphics, Apple’s image rendering library.
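The practical lesson from the “GIFs” above is that an attachment’s extension says nothing about what the parser will actually see. The following is an added example, not code from Citizen Lab, Apple or NSO Group, of the kind of triage a forensic analyst can run over extracted iMessage attachments: it identifies each file’s real container type from its leading bytes, flags any whose content disagrees with its declared extension, and groups byte-identical copies (a payload delivered repeatedly tends to show up as identical files). The attachment paths and bytes are constructed for the demonstration and are not real ForcedEntry samples; the magic-byte table covers only a handful of common formats.

```python
"""Triage attachments whose declared extension does not match their content.

Added example (not Citizen Lab's, Apple's or NSO Group's tooling). Sample
inputs are constructed, not captured from a device.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from pathlib import PurePosixPath

# Leading bytes that identify a few common container formats. Longer
# signatures are listed first so they are tested before shorter ones.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
)

# What each extension claims the file is.
EXT_TO_TYPE = {
    ".gif": "gif",
    ".pdf": "pdf",
    ".png": "png",
    ".jpg": "jpeg",
    ".jpeg": "jpeg",
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(attachments: dict[str, bytes]) -> list[dict]:
    """Return one finding per attachment whose content disagrees with its extension.

    Findings are ordered by path so the output is stable for diffing.
    """
    findings = []
    for path, data in sorted(attachments.items()):
        ext = PurePosixPath(path).suffix.lower()
        declared = EXT_TO_TYPE.get(ext, "unknown")
        actual = sniff(data)
        if actual != declared:
            findings.append({
                "path": path,
                "declared": declared,
                "actual": actual,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return findings


def duplicate_clusters(attachments: dict[str, bytes], min_copies: int = 2) -> dict[str, list[str]]:
    """Group paths by content hash; keep only hashes seen at least min_copies times."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for path, data in attachments.items():
        by_hash[hashlib.sha256(data).hexdigest()].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) >= min_copies}


# Constructed sample: one genuine GIF, two identical PDFs wearing a .gif
# extension, one unrecognised blob wearing a .gif extension, one genuine JPEG.
SAMPLE_ATTACHMENTS = {
    "Attachments/1/one.gif": b"GIF89a" + b"\x00" * 32,
    "Attachments/2/two.gif": b"%PDF-1.7\n" + b"\x00" * 700,
    "Attachments/3/three.gif": b"%PDF-1.7\n" + b"\x00" * 700,
    "Attachments/4/odd.gif": b"\x00\x01\x02\x03" + b"\x00" * 32,
    "Attachments/5/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
}


if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENTS):
        print(f"{finding['path']}: declared {finding['declared']}, actual {finding['actual']}, "
              f"{finding['size']} bytes, sha256 {finding['sha256'][:16]}...")
    for digest, paths in duplicate_clusters(SAMPLE_ATTACHMENTS).items():
        print(f"{len(paths)} identical copies ({digest[:16]}...): {', '.join(paths)}")
```

Run against a real backup, `attachments` would be filled from the extracted attachment directory; the point of the check is that the two mismatched “GIFs” and the unrecognised blob surface immediately, while genuine images do not, so an analyst can hand the suspect files to the platform vendor or a sandbox without first trusting the sender’s naming.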
The exploit uses multiple process names, including ‘setframed’, and leaves behind a forensic artefact Citizen Lab calls CascadeFail; because both have been observed in previous Pegasus infections, Citizen Lab attributed the exploit to Pegasus and, by extension, to NSO Group.
This isn’t the only vulnerability Apple patched on Monday, either. A second one, CVE-2021-30858 in WebKit, reported by an anonymous researcher, was also fixed; Apple describes it as “processing maliciously crafted web content may lead to arbitrary code execution.”